US federal government and cybersecurity researchers say a newly discovered security bug found in Microsoft's SharePoint is under attack.
The US cybersecurity agency CISA issued an alarm this weekend that hackers are actively using bugs. Microsoft has yet to provide patches for all affected SharePoint versions, and customers around the world can barely defend against ongoing intrusions.
Microsoft said the bug, officially known as CVE-2025-53771, affects the version of SharePoint that companies configure and manage on their own servers. SharePoint companies can store, share and manage internal files.
Microsoft said it is working on security fixes to prevent hackers from exploiting vulnerabilities. A flaw called “zero-day” affects older software versions, such as SharePoint Server 2016, because the vendor was not given time to patch the bug before it was recognized.
It is still unclear how many servers are at risk so far, but it is possible that thousands to medium-sized companies that rely on software are being affected. Several US federal agencies, universities and energy companies have already been violated by the attack, according to the Washington Post.
Ie's Security, which first revealed the bug on Saturday, said it discovered “dozens” of Microsoft SharePoint servers that were actively exploited online at the time of publication. A bug can, if exploited, allow hackers to steal private digital keys from SharePoint servers without the need for credentials to log in. Hackers can plant malware remotely and access files and data stored inside. Eye Security warned that SharePoint could connect with other apps like Outlook, Teams, OneDrive, allowing further network compromises and data theft.
According to Eye Security, the bug involves theft of digital keys because it requires both affected customers to impersonate a legitimate request on the server, performing additional steps to patch the bug and rotate the digital key, and performing additional steps to prevent hackers from reconfiguring the server.
CISA and others are urging customers to “take immediate and recommended actions.” In the absence of patches or mitigation, customers should consider disconnecting systems that are potentially affected from the Internet.
If you have SharePoint [on-premise] In an email to TechCrunch, Michael Sikorski, head of Threat Intelligence Division Unit 42 at Palo Alto Networks, said:
And while it's still unknown who is running the attacks on SharePoint servers, it's the latest in a series of cyberattacks targeting Microsoft customers in recent years.
In 2021, a Chinese-backed hacking group called Hafnium was caught using a vulnerability found in self-hosted Microsoft Exchange mail servers, allowing for mass suppression and delamination of email and contact data from businesses around the world. According to a recent Department of Justice indictment, hackers have breached more than 60,000 servers.
Two years later, Microsoft directly checked the cyberattacks on cloud systems, allowing Chinese hackers to steal sensitive email signature keys that allow the company to access both consumer and enterprise email accounts.
Microsoft has also reported repeated intrusions from hackers related to the Russian government.
Do you know more about SharePoint cyberattacks? Are you an affected customer? Please contact this reporter securely via a message encrypted with Zackwhittaker.1337.